Tag: security

The Problem

I wanted to use LetsEncrypt to install a free SSL certificate on a website (call it “mywebsite.com” for this example) that runs on a CentOS 6.7 VM. I downloaded the LetsEncrypt client and ran my command to download a cert that I would configure in Nginx.

I had done this previously on Ubuntu 14.04 without any problem. On CentOS 6.7, I was greeted by this error:

WARNING: Python 2.6 support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

It isn’t actually clear what this error means. Did it actually do anything? Is it just informational? Turns out, what it is saying is that the LetsEncrypt client is not compatible with Python 2.6 – it requires Python 2.7 and above. This is a big problem for CentOS 6 as the basic tools of the operating system (‘yum’ for instance) rely on Python 2.6. You will completely bork your system if you replace Python 2.6 with Python 2.7. This applies for RedHat Enterprise Linux (RHEL) 6 as well.

The Solution

Software Collections! Good luck figuring out what these are from any of the RedHat documentation. Software Collections are actually a way to install multiple versions of software on a CentOS or RHEL server without resorting to compiling from source or Docker containers. What it means for us is that we can install Python 2.7 on this same server and only activate it when running LetsEncrypt. The default Python version on the system will remain 2.6.

Check and make sure the default Python version is what you started with

[~]# python -V
Python 2.6.6

Now comes the fun stuff. If you look in /opt/rh/python27/root/, you’ll see yum has created a whole system directory structure, complete with /etc, /var, /home, /bin, etc. This is where your simulated system for Python 2.7 lives. Your Python 2.7 configuration files, log files, binary files – these are all within this “fake” directory structure. Python 2.7 lives entirely in here and will not impact anything in the normal system structure.

To activate and use Python 2.7, we need to run the commands through the SCL system like so:

We need to use quotes in this case to identify the entire letsencrypt client string and configuration flags as part of the single command. To see a full list of what scl can do, use

scl --help

At this point, the LetsEncrypt client should run just like normal, using Python 2.7. Your certificate will be downloaded and the LetsEncrypt client will exit without error. If you want to do some debugging and have a shell with Python 2.7 as your default Python, try

scl enable python27 bash

In that shell, everything you do will use Python 2.7. Simply type “exit” to jump back to the regular shell and Python 2.6.

Now that we know how to activate Python 2.7, we can automate certificate renewal via a cron job. I put this in /etc/crontab, but it would work fine if put into “crontab -e”